Who protects the internet? In part, it’s this man – General Kevin Chilton, US STRATCOM commander and the head of all military cyber warfare. We’re broadcasting an interview tonight with General Chilton, in which he discusses the threat of cyber warfare, along with his other remits of space warfare and the US nuclear deterrent. Chilton is fascinating, and amongst other things has been a NASA space shuttle pilot, logging over 700 hours in space. You can watch the full interview here (and it is embedded below).

The discussion with General Chilton brings to light a crucial question, however. Is the internet actually protected? The military remit is to defend the .mil networks, prevent online espionage, and develop offensive strike capabilities. But who’s protecting the rest? Given its integration with every aspect of our lives and economy, it’s surprising just how little we know about who defends our electronic nervous system.

The Threat

There’s copious discussion about exactly how vulnerable the US is to online attack. The alleged Russian DoS attacks on Estonia in 2007, and on Georgia this summer, highlighted the potential damage of state sponsored attacks. China has also been developing cyber warfare capabilities for some time, mounting online intelligence operations against Taiwan, and almost certainly against the US. The Chinese military has openly stated that it plans to be able to win an “informationized war” by the middle of this century. Russia, Israel and Romania are also alleged to have high-level cyber warfare capabilities.

This developing threat from state actors led Sami Saydjari, CEO of Cyber Defense LLC, to testify (pdf) to the US House Committee of Homeland Security in 2007, saying: “The US is vulnerable to a strategically crippling cyber attack from nation-state-class adversaries.” Such an attack has the potential to turn the US “from being a superpower to a third-world nation practically overnight.”

I should point out that many have disputed the apocalyptic nature of Saydjari’s statement. Kevin Mitnick, the reformed hacker, noted in a recent phone call:

“Could we face a mass DOS attack, as in Georgia and Estonia? I don’t think so. I think it would be more of a surveillance operation to get intelligence. Technically you could have a mass attack against the thirteen root nameservers around the world. But as for cyber war, I don’t think we’re at that point yet, I think it’s over-stated.”

Regardless of the impact of an offensive cyber attack, everyone appears to agree on the insidious danger from online intelligence gathering. Former counter-terrorism chief Richard Clarke eloquently summarized this in Foreign Policy recently:

“People tend to think about attacks that change things—turn off power grids, or whatever. And while that’s possible, what is happening every day is quite devastating, even though it doesn’t have a kinetic impact and there are no body bags. What’s happening every day is that all of our information is being stolen. So, we pay billions of dollars for research and development, both in the government and the private sector, for engineering, for pharmaceuticals, for bioengineering, genetic stuff… and all that information gets stolen for one one-thousandth of the cost that it took to develop it.”
Who protects us?

The problem is that it isn’t clear who has the remit for comprehensive defense of the internet. The US military and intelligence agencies defend government networks and track targets online, both domestically and abroad. A new Bush-ordained funding boost in January this year will help them become more coordinated. However, as Richard Clarke goes on to note, “the problem is that much of what we need to protect is not in the U.S. government; it’s in our private companies and our private networks”.

The Department of Homeland Security’s National Cyber Security Division operates various public-private initiatives, such as the rather prosaic National Cyber Security Awareness Month. But beyond this, the general response appears highly fragmented with little grand oversight or public-private coordination. I emailed Jonathan Zittrain to ask his opinion on ‘who protects the internet’. He replied:

“Basically no one. At most, a number of loose confederations of computer scientists and engineers who seek to devise better protocols and practices — unincorporated groups like the Internet Engineering Task Force and the North American Network Operators Group. But the fact remains that no one really owns security online, which leads to gated communities with firewalls — a highly unreliable and wasteful way to try to assure security.”

Hackers to the rescue?

When Obama appoints a white house CTO, there will at least be an official figurehead in charge of this matter. Proposed candidates for the role currently include Eric Schmidt, Steve Ballmer, Jeff Bezos and Julius Genachowski from IAC.

However, perhaps the future of internet security really lies in the hands of the community. Indeed, Jonathan Zittrain talked about ‘good hackers’ on our show in May, and he argues the importance of community policing in The Future of the Internet. The last few years of the internet have been about empowering the masses, and removing intermediary apparatus – so why not leverage the community to defend its cyber territory? Indeed, this is already happening, to a certain extent. Just look at Dan Kaminsky, a computer consultant who discovered a fundamental flaw in DNS, allowing him control over any website online. This flaw was astounding in what it gave access to – yet Dan Kaminsky didn’t turn to a government agency or organization, or abuse the hack himself. Instead he made a phone call to Paul Vixie, one of the creators of the BIND9 DNS routing software, and they assembled a team of civilians and private companies to resolve this apocalyptic vulnerability.

It will be interesting to see what happens from here. And whilst it’s certainly entertaining to envision vigilante hackers and rag-tag groups of high school kids overcoming nation states, I think there’s more serious matters at stake. The way that the internet community reacts and operates with state apparatus in defending against cyber threats will be a crucial indicator of our future society. How reliant are we on the nation-state to protect us? Will it ever be possible for internet communities to erode the relevance of the nation state? Or will the internet turn out to be just as Hobbesian as the real world has been?

Charlie Rose’s discussions with General Kevin Chilton and Jonathan Zittrain are available at our website, charlierose.com. Matt Rutherford can be reached at matt@charlierose.com.